On Mon, Mar 13, 2006 at 12:25:13AM +0100, Martin Schulze wrote:
> An algorithm weakness has been discovered in Apache2::Request, the
> generic request library for Apache2 which can be exploited remotely
> and cause a denial of service via CPU consumption.
Looks like the backport was incomplete, unfortunately; it breaks file uploads (see #358689). I've made a fix (attached) which seems to fix the problem for me; Gunnar, could you please test it on your side too?

/* Steinar */

-- 
Homepage: http://www.sesse.net/
diff -ur libapreq2-perl-2.04-dev/debian/changelog libapreq2-perl-2.04-dev-fixupload/debian/changelog --- libapreq2-perl-2.04-dev/debian/changelog 2006-03-31 16:48:01.000000000 +0200 +++ libapreq2-perl-2.04-dev-fixupload/debian/changelog 2006-03-31 16:49:58.000000000 +0200 @@ -1,3 +1,10 @@ +libapreq2-perl (2.04-dev-1sarge2) stable-security; urgency=low + + * Fix incomplete backport from -1sarge1, breaking file uploads. + (Closes: #358689) + + -- Steinar H. Gunderson <[EMAIL PROTECTED]> Fri, 31 Mar 2006 16:48:30 +0200 + libapreq2-perl (2.04-dev-1sarge1) stable-security; urgency=high * [CVE-2006-0042] Eliminate potential quadratic behavior in diff -ur libapreq2-perl-2.04-dev/src/apreq_parsers.c libapreq2-perl-2.04-dev-fixupload/src/apreq_parsers.c --- libapreq2-perl-2.04-dev/src/apreq_parsers.c 2006-03-31 16:48:01.000000000 +0200 +++ libapreq2-perl-2.04-dev-fixupload/src/apreq_parsers.c 2006-03-31 16:50:05.000000000 +0200 @@ -397,7 +397,6 @@ APREQ_DECLARE_PARSER(apreq_parse_headers) { apr_pool_t *pool = apreq_env_pool(env); - apr_ssize_t nlen, glen, vlen; apr_bucket *e; struct hdr_ctx *ctx; @@ -531,14 +530,14 @@ case '\t': ctx->status = HDR_CONTINUE; ++off; - vlen += 2; + ctx->vlen += 2; break; default: /* can parse brigade now */ if (off > 0) apr_bucket_split(e, off); - s = split_header(t, ctx->bb, ctx->nlen, glen, vlen); + s = split_header(t, ctx->bb, ctx->nlen, ctx->glen, ctx->vlen); if (s != APR_SUCCESS) { ctx->status = HDR_ERROR; return s;
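Review bot: the new 2.04-dev-1sarge2 changelog entry carries urgency=low while the -1sarge1 entry it repairs carries urgency=high; since this upload restores file uploads broken by the CVE-2006-0042 backport and goes to stable-security, the same urgency seems warranted, and naming CVE-2006-0042 in the entry (next to "Fix incomplete backport from -1sarge1") would record why the regression exists.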
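Review bot: removing the local `apr_ssize_t nlen, glen, vlen;` from apreq_parse_headers is only correct if every remaining use in the function now goes through the parser context; the -531 hunk converts `vlen` and `glen` in the continuation path and in the split_header call, but the other states that accumulate into these counters are not visible here, so please confirm the whole function was checked for stale references to the removed locals and that the corresponding ctx fields are zeroed when the hdr_ctx is allocated, otherwise the first header parsed starts from garbage.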
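Review bot: with the counters in ctx, `ctx->vlen += 2` and the `split_header(t, ctx->bb, ctx->nlen, ctx->glen, ctx->vlen)` call now see values that survive across calls to the parser, which is what a header spanning two brigades needs; it also means they must be reset once a header has been split out, or the next header's value length is inflated. The reset is not in the hunk, so please confirm it happens on the success path after `s = split_header(...)`, and that the HDR_ERROR return leaves ctx in a state where a subsequent call cannot double-count.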